  1. # I'm trying to make this config as simple as possible. Comment out
  2. # options you don't want to use, uncomment them to use them.
  3. # Don't forget to rename this file to 'options'!
  4. # Config file version. Don't change this. Will be used some day to
  5. # figure out if we need to alert the user that they need to redo their
  6. # config file.
  7. CONFIG_VERSION=0.9
  8. # This is for testing purposes.
  9. IPTABLES=/bin/true
  10. IP6TABLES=/bin/true
  11. # Uncomment below to actually activate firewall
  12. #IPTABLES=/sbin/iptables
  13. #IP6TABLES=/sbin/ip6tables
  14. # This is important for loading kernel modules
  15. MODPROBE=/sbin/modprobe
  16. # Extra modules to load such as ftp connection tracking
  17. #MODULES_LOAD="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_tftp nf_conntrack_sane"
  18. # Run commands before/after rules
  19. PRERUN="$BASEDIR/conf/prerun"
  20. POSTRUN="$BASEDIR/conf/postrun"
  21. # Do we want NAT/Conntrack/Forward features?
  22. #NAT=1
  23. #CONNTRACK=1
  24. #FORWARD=1
  25. # Use old style state matches or new conntrack matches?
  26. # By default, lets use conntrack.
  27. #STATE_TYPE="conntrack"
  28. # Blocking incoming connections by default?
  29. #BLOCKINCOMING=1
  30. # Clamp MSS, useful on DSL/VPN links
  31. # Space separated list of interfaces to apply this on
  32. #CLAMPMSS="ppp0 eth0"
  33. # Default IPv4 policies
  34. # IPV4_PINPUT set to DROP is different from BLOCKINCOMING,
  35. # as BLOCKINCOMING only blocks syn packets for TCP while still
  36. # allowing established connections even if connection tracking is off.
  37. # BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
  38. IPV4_PINPUT=ACCEPT
  39. IPV4_POUTPUT=ACCEPT
  40. IPV4_PFORWARD=DROP
  41. # Do we run a LAN DHCP server? Put the interfaces here
  42. # where this server is providing services.
  43. #LANDHCPSERVER="eth0 eth1"
  44. # Primary external interface
  45. # Can be an interface name (ppp0, eth0) or auto
  46. # which will try to detect the proper interface,
  47. # but requires a default route to be properly setup
  48. # first.
  49. # We recommend manually defining this unless you really
  50. # need to automagically detect the interface.
  51. EXTIF="eth0"
  52. # Primary external IP address
  53. # Can be an IP address or auto, which will try to detect
  54. # the primary external IP using the information from EXTIF
  55. # This is mostly useful for people who have a dynamic external
  56. # IP address. Everyone else should manually define this to
  57. # avoid potential detection issues.
  58. EXTIP="auto"
  59. # Program/script for finding the default external interface
  60. # Only used if EXTIF is set to auto
  61. #
  62. # If you need to write your own script to find the info, change below
  63. #EXTIF_FIND="$BASEDIR/bin/get_default_if"
  64. # Pattern for finding the default external interface IP address
  65. # Only used if EXTIP is set to auto
  66. #
  67. # If you need to write your own script to find the info, change below
  68. # note that the script passes the interface from $EXTIF as first option
  69. #EXTIP_FIND="$BASEDIR/bin/get_default_ip"
  70. # Internal Interface
  71. #INTINF=ppp+
  72. # Port forwardings, requires NAT
  73. #PORTFW=$BASEDIR/conf/port-forwards
  74. # Multiport support?
  75. # yes/no/auto (auto will try to detect if we support multiport or not,
  76. # may not always work but is recommended unless you have a reason otherwise)
  77. IPTABLES_MULTIPORT=auto
  78. # Multiport options - use to override defaults
  79. #NF_MULTIPORT="xt_multiport"
  80. #NF_MULTIPORT_MAX_PORTS="7"
  81. # Allow outgoing DNS requests - important if you did not activate connection
  82. # tracking. Set this to the interfaces you wish to use for outgoing requests
  83. # plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
  84. #DNS_REQUESTS_OUT="eth0|4.2.2.1|4.2.2.2|4.2.2.3 eth1"
  85. # TCP/UDP/Protocol to allow
  86. TCPPORTS="20 21 22 53 80 113 123 443"
  87. UDPPORTS="53"
  88. # common protocols to allow include ipsec, gre, and ipv6
  89. ALLOWEDPROTO="41 47 50 51"
  90. # IPs that are allowed to bypass firewall
  91. TRUSTEDIP="127.0.0.1"
  92. # Don't track these IPs, useful in some occasions. Don't
  93. # use otherwise.
  94. DONTTRACK="127.0.0.1"
  95. # Allowed IPs and ports
  96. # this is a more advanced form of TCPPORTS and UDPPORTS,
  97. # and will eventually replace it
  98. #IPV4_ALLOWED=$BASEDIR/conf/ipv4-allowed
  99. # Intercept IPv4 packets for use in a transparent proxy
  100. #IPV4_INTERCEPT=$BASEDIR/conf/ipv4-intercept
  101. # IP range(s) to forward
  102. #ROUTING=$BASEDIR/conf/ipv4-routing
  103. # Mark ipv4 packets for advanced purposes
  104. #IPv4_MARK=$BASEDIR/conf/ipv4-marks
  105. # IP NAT Rules
  106. # SNAT:<INT IF>:<INT IP>:<EXT IF>:<EXT IP>
  107. # MASQ:<INT IF>:<INT IP>:<EXT IF>
  108. # NETMAP:<INT IF>:<INT IP RANGE>:<EXT IF>:<EXT IP RANGE>
  109. #NAT_RANGE=""
  110. # Hacks to either block specific kinds of attacks or fix problems
  111. #
  112. # NS-IN-DDOS - Block DNS DDoS using NS/IN spoof, see:
  113. # http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
  114. #
  115. # MULTI-NIC-ARP-LOCK - By default, in Linux, arp requests may be answered by interfaces that
  116. # do not actually have the IP in question. In some (alot in my case),
  117. # I have things going through specific wires for a reason. This fixes
  118. # that and makes it behave as expected.
  119. #
  120. #HACK_IPV4="NS-IN-DDOS"
  121. # IP Ranges to block all traffic incoming/outgoing
  122. # New functionality in 0.9.8 obsoletes BLOCKTCPPORTS and BLOCKUDPPORTS
  123. BLOCKEDIP=$BASEDIR/conf/ipv4-blocked
  124. # Strip ECN off of packets - helps with blackholes
  125. # Either individual IPs or 0.0.0.0/0
  126. #STRIPECN="0.0.0.0/0"
  127. # Block private LAN traffic (RFC reserved space) going OUT on these interfaces
  128. # for security reasons. This has the potential to cause issues if your
  129. # provider uses private IP space for uplinks in PPPoE/PPPoA, so don't use it
  130. # and use BLOCK_INCOMING_RFC1981 instead.
  131. #BLOCK_OUTGOING_RFC1918="ppp0"
  132. # Block private LAN traffic (RFC reserved space) coming IN on these interfaces
  133. # for security reasons. This is a bit more safer to use if your provider uses
  134. # private IP space for the other end of PPP links.
  135. #BLOCK_INCOMING_RFC1918="ppp0"
  136. # RFC1918 Space override, don't change or uncomment this unless you absolutely need to
  137. #RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
  138. # IPv6 related features. Commenting out IPV6 variable disables ALL
  139. # IPv6 related items
  140. #IPV6=1
  141. # Do we want IPv6 FORWARD and Connection tracking features?
  142. #IPV6_FORWARD=1
  143. #IPV6_CONNTRACK=1
  144. # Default IPv6 policies
  145. # IPV6_PINPUT set to DROP is different from IPV6_BLOCKINCOMING,
  146. # as BLOCKINCOMING only blocks syn packets for TCP while still
  147. # allowing established connections even if connection tracking is off.
  148. # BLOCKINCOMING does however, deny all incoming UDP just like INPUT=DROP does.
  149. IPV6_PINPUT=ALLOW
  150. IPV6_POUTPUT=ALLOW
  151. IPV6_PFORWARD=DROP
  152. # Allow outgoing DNS requests - important if you did not activate connection
  153. # tracking. Set this to the interfaces you wish to use for outgoing requests
  154. # plus the IP addresses of your upstream servers (recommended up to 3) if you need to.
  155. #IPV6_DNS_REQUESTS_OUT="eth0|2001::1|2001::2|2001::3 eth1"
  156. # Default block all incoming ipv6 connections?
  157. #IPV6_BLOCKINCOMING=1
  158. # Special case for routers that have ipv6 clients behind them.
  159. # Useful if clients do not have proper ipv6 firewalls. Give list
  160. # of IPv6 netblocks to enable this on.
  161. #IPV6_ROUTEDCLIENTBLOCK=""
  162. # IP range(s) to forward
  163. #IPV6_ROUTING=$BASEDIR/conf/ipv6-routing
  164. # Mark ipv6 packets for advanced purposes
  165. #IPV6_MARK=$BASEDIR/conf/ipv6-marks
  166. # IPv6 Ranges to block all traffic incoming/outgoing
  167. #IPV6_BLOCKEDIP=$BASEDIR/conf/ipv6-blocked
  168. # Clamp MSS, useful on DSL/VPN links
  169. # Space separated list of interfaces to apply this on
  170. # it may be used eventually.
  171. #IPV6_CLAMPMSS="he-ipv6"
  172. # Interface IPv6 comes in on (either tunnel or real network interface)
  173. #IPV6_INT=he-ipv6
  174. # LAN interface for IPv6
  175. #IPV6_LAN=eth1
  176. # Trusted IPv6 ranges
  177. #IPV6_TRUSTED="::1"
  178. # Do we run a LAN DHCP server? Put the interfaces here
  179. # where this server is providing services.
  180. #IPV6_LANDHCPSERVER="eth0 eth1"
  181. # Allowed incoming IPv6 ports (for now, use $TCPPORTS and $UDPPORTS to
  182. # have same for both ipv4 and ipv6)
  183. #IPV6_TCPPORTS=$TCPPORTS
  184. #IPV6_UDPPORTS=$UDPPORTS
  185. # Allowed IPv6 IPs and ports
  186. # this is a more advanced form of IPV6_TCPPORTS and IPV6_UDPPORTS,
  187. # and will eventually replace it
  188. #IPV6_ALLOWED=$BASEDIR/conf/ipv6-allowed
  189. # IPv6 range to forward
  190. #IPV6_FORWARDRANGE=""
  191. # Allow critical ICMP messages to go through, such as packet too big.
  192. # You should _really_ make sure you don't disable this if you have any
  193. # kind of MTU changes inside or outside your network.
  194. # Allows: time-exceeded packet-too-big
  195. IPV6_ICMP_CRITICAL=1
  196. # Allow other common IPV6 ICMP messages through the firewall. Though not
  197. # really critical, these can help with general IPv6 usage/diagnostic
  198. # Allows: destination-unreachable parameter-problem
  199. #IPV6_ICMP_OPT=1